An Introduction to Snort: A Lightweight Intrusion Detection System
Snort is a self-described "Lightweight Intrusion Detection System" that can easily be incorporated into any network security architecture.
What Is An Intrusion Detection System?
As with any area in life, people tend to have a need to classify what an object is before they interact with it. Like everything else in IT, Intrusion Detection Systems (IDS) are rife with TLAs (Three Letter Acronyms). Security experts use acronyms such as IDS, NIDS, HIDS, Hybrid-IDS, and so on to describe and classify a product. So, what do all of those acronyms mean, and why should you care? The main reason to learn them is to cut through the hype and "marketing-speak" that tend to permeate many otherwise technical conversations. Let's start by identifying a few of them:
IDS—Intrusion Detection System. An intrusion detection system is the generic term given to any hardware, software, or combination of the two that monitors a system or network of systems looking for suspicious activity.
NIDS—Network Intrusion Detection System. A Network Intrusion Detection System is an IDS that monitors all network traffic on the wire looking for suspicious activity. A NIDS' job is complicated with modern networking architecture improvements such as network switches, VLANs, and high-speed (DS3, 100Mb/s Ethernet or faster) uplinks.
HIDS—Host Intrusion Detection System. A Host Intrusion Detection System is an IDS that monitors the status of a specific host. HIDSs generally monitor system configuration files, databases, filesystem activity, system or event logs, and so on for changes, additions, or other suspicious activity.
Hybrid-IDS—Hybrid Intrusion Detection System. A Hybrid-IDS would monitor network traffic, although it would generally do this in a non-promiscuous way, meaning that it would monitor only traffic destined for that host. Additionally, the Hybrid-IDS would monitor the same host sources that a HIDS would. The Hybrid-IDS would then correlate the two data sources and attempt to provide a preliminary analysis.
Next, we'll take a look at which of these may be appropriate for your network.